LiveActive security incident?Get immediate response
CVE Record

CVE-2020-3117: Cisco Web Security Appliance and Cisco Content Security Management Appliance HTTP Header Injection Vulnerability

A vulnerability in the API Framework of Cisco AsyncOS for Cisco Web Security Appliance (WSA) and Cisco Content Security Management Appliance (SMA) could allow an unauthenticated, remote attacker to inject crafted HTTP headers in the web server's response. The vulnerability is due to insufficient validation of user input. An attacker could exploit this vulnerability by persuading a user to access a crafted URL and receive a malicious HTTP response. A successful exploit could allow the attacker to inject arbitrary HTTP headers into valid HTTP responses sent to a user's browser.

MediumCVSS 4.7Not KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

CVE-2020-3117 lets a remote unauthenticated attacker inject HTTP headers into responses from affected Cisco security appliances if they can persuade a user to open a crafted URL. The direct impact is limited to response integrity, not confirmed data theft or outage.

Executive priority

Treat this as a medium-priority appliance hygiene issue. It is not confirmed exploited and has limited integrity impact, but affected security infrastructure should be checked and updated under normal vulnerability management timelines.

Technical view

Cisco describes insufficient input validation in the API Framework of AsyncOS for Cisco WSA and SMA. The flaw is CWE-113 HTTP header injection. CVSS 3.0 is 4.7 with network access, low attack complexity, no privileges, required user interaction, changed scope, and low integrity impact.

Likely exposure

Exposure is most relevant to organizations running Cisco Web Security Appliance or Content Security Management Appliance with the affected AsyncOS API Framework. Risk increases where appliance web interfaces are reachable by users who could be lured to crafted URLs.

Exploitation context

The provided sources do not show active exploitation, and the CVE is not marked KEV. Exploitation requires user interaction: an attacker must persuade a user to access a crafted URL and receive a manipulated HTTP response.

Researcher notes

Evidence is limited to the CVE metadata and Cisco advisory reference. Do not assume affected versions, exploit availability, or fixed releases beyond Cisco’s published guidance. The key technical behavior is response header injection after crafted URL interaction.

Mitigation direction

  • Inventory Cisco WSA and SMA deployments and their AsyncOS versions.
  • Review Cisco’s advisory for fixed releases or official workarounds.
  • Apply Cisco-provided updates or mitigations where applicable.
  • Limit appliance web/API access to trusted administrative networks while assessing.
  • Monitor Cisco PSIRT and CVE updates for revised guidance.

Validation and detection

  • Confirm whether any deployed WSA or SMA matches Cisco’s affected product scope.
  • Check installed AsyncOS versions against Cisco advisory guidance.
  • Verify appliance web/API interfaces are not broadly exposed.
  • Review logs for suspicious crafted URL access patterns where available.
  • Document remediation status and remaining compensating controls.
Prepared
Confidence
high
Sources
3

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-113: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2020-3117 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Medium
CVSS
4.7 (3.0)
Known Exploited
No
Published

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
2Source links

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
4.7CVSS 3.0MediumCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N2.81.4Primary CVE score

Vulnerability scoring details

Base CVSS 3.0 score

4.7Medium
CVSS 3.0 vector shape for CVE-2020-3117Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
CiscoCisco Web Security Appliance (WSA)n/aListed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-113 · source CWE mapping

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.